Stupid question regarding referrer security (Read 3,826 times)
batchman
Stupid question regarding referrer security
May 22nd, 2013 at 2:38pm
So here's the text from referrer security ...

Code:
Select Board Actions (action=... in the URL) which are allowed from outside your own board domainname.
"Activate Referrer Security Checking?" must be checked in Security Center => Security Settings => General for it to work!

This would seem to indicate that the actions that are checked are the specific actions you will allow from outside your own domain.

So when I check to see what actions are checked, there are only five or six actions that I am allowing from outside my domain, but they are some big ones like register or profile.

Which leaves me worried ... am I an idiot to be allowing these from outside my own domain, or should I have things reversed and be allowing these only from my own domain, and everything else from everywhere?

Yes, sometimes I can be an idiot who doesn't understand what I should ... but I figured I would double-check and make sure I have this set up right on my forums.

Elrick.
Re: Stupid question regarding referrer security
Reply #1 - May 22nd, 2013 at 3:26pm
A very pertinent question Batchman. The only ones checked in my forums are:

Display
Login
Logout
Messageindex
Resetpass

and always works as intended!

There is no direct experience of reality without interpretation; and all interpretation is corrupted by the cultural and personal prejudices or prejudgments of the interpreter. ~ Elrick
Bill Myers
Re: Stupid question regarding referrer security
Reply #2 - May 22nd, 2013 at 4:20pm
batchman wrote on May 22nd, 2013 at 2:38pm:
... there are only five or six actions that I am allowing from outside my domain ...

I think an unfortunate mistake many admins make is to restrict access to their forums far too much with the Referrer Security feature. Too many do the same with Derek's Anti Spam Question mod when they ask questions only a minority of people can answer. But I digress.

For instance, why would an admin want to restrict access to their help section? That is one place I include contact information in case somebody's access to our forum is restricted, etc.

How about the RSS feed? That's an otherwise nice way to promote a forum. Or the sendtopic features?

Another example is that we have fans of our forum who provide registration from outside of our domain. Thankfully, because YaBB now has superb options to stop spam-bots, restricting the ability to register is no longer needed.

While I do believe Referrer Security is a feature admins should most surely use, I think they can better serve their forum's community by relaxing those restrictions.

My suggestion is to allow as many actions/features as you think you'd enjoy as a guest and potential member, and then work backwards by eliminating those actions/features when you see they're causing a problem.

In fact, just as an experiment that I'm guessing is likely to fail, I've nonetheless just de-activated Referral Security Checking. Perhaps foolishly I guess, I'm curious to see what might happen.

Edited:
For the record, and this is something I had completely forgotten about, I had de-activated Referral Security Checking back in January of 2012, and had it off for almost an entire year without a problem (thanks to ggn's anti-spam CAPTCHA hack).

I had only reactivated it later on because knowledgeable admins told me I should.

Keep your fingers crossed for me.

« Last Edit: May 23rd, 2013 at 7:45am by Bill Myers »  

Morning, noon, or night, have a great one!

Note: This forum doesn't allow for us to freely edit our posts or topics to make corrections as needed, so please remember to look for subsequent posts if you see any mistakes or outdated information. Sorry for the inconvenience.
xnoddyx
Re: Stupid question regarding referrer security
Reply #3 - May 22nd, 2013 at 8:28pm
Bill Myers wrote on May 22nd, 2013 at 4:20pm:
batchman wrote on May 22nd, 2013 at 2:38pm:
... there are only five or six actions that I am allowing from outside my domain ...

I think an unfortunate mistake many admins make is to restrict access to their forums far too much with the Referrer Security feature. Too many do the same with Derek's Anti Spam Question mod when they ask questions only a minority of people can answer. But I digress.

For instance, why would an admin want to restrict access to their help section? That is one place I include contact information in case somebody's access to our forum is restricted, etc.

How about the RSS feed? That's an otherwise nice way to promote a forum. Or the sendtopic features?

Another example is that we have fans of our forum who provide registration from outside of our domain. Thankfully, because YaBB now has superb options to stop spam-bots, restricting the ability to register is no longer needed.

While I do believe Referrer Security is a feature admins should most surely use, I think they can better serve their forum's community by relaxing those restrictions.

My suggestion is to allow as many actions/features as you think you'd enjoy as a guest and potential member, and then work backwards by eliminating those actions/features when you see they're causing a problem.

In fact, just as an experiment that I'm guessing is likely to fail, I've nonetheless just de-activated referral security checking. Perhaps foolishly I guess, I'm curious to see what might happen.

Keep your fingers crossed for me. Roll Eyes



We have been over Referrer Security before
(from http://www.yabbforum.com/community/YaBB.pl?num=1351872351#32):
xnoddyx wrote on Nov 11th, 2012 at 12:01am:
Jkulin wrote on Nov 10th, 2012 at 11:19pm:
Thanks Lads, (Weird I could have sworn I replied)

Activate Referrer Security Checking is checked and always was.

I have unchecked login and log-off in the referrer security, what does that do and will the general public see any difference?

I had the same problem with my last post.
As to login and log-off in the referrer security, they should've been unchecked, and the same for login2, register, register2.
What this is for is to stop requests/actions from outside your domain/URL to YaBB. Can you check and see if login2, register, register2 are still unchecked?



You can also see some more here:
http://testbed.dandello.net/cgi-bin/yabb254/YaBB.pl?num=1359402117/0

But getting down to the bare bones of it: if you turn off referrer security, or let login2, register, register2 past referrer security so as to open it up, you will leave yourself more open to spam attacks. <<< this has been tested and confirmed.

Hope this is of help to you.
  

YaBB install help video
1. what yabb forum are you running and the url
2. describe in as much detail as you can what happens and also post screenshots if you can
3. please be patient we live in different time zones and have other commitments but we will help you
as bill and ted say (Be excellent to each other)
Bill Myers
Re: Stupid question regarding referrer security
Reply #4 - May 23rd, 2013 at 7:21am
xnoddyx wrote on May 22nd, 2013 at 8:28pm:
... if you turn off referrer security or let login2, register, register2 past referrer security as in to open it up you will leave yourself more open to spam attacks. <<< this has been tested and confirmed.

Have you ever tried deactivating Referral Security Checking? You'll never know until you try.

I can tell you firsthand that spam-bots haven't been able to harm our forum even though its Referral Security Checking has been disabled. I'm not the only forum admin who's done this.

I believe the key factor for this is using ggn's anti-spam CAPTCHA hack, which was authored into a mod by Derek Barnstorm. You can see it in action near the bottom of Dandello's YaBB 2.5.4 Alpha test bed forum after clicking General Board.

Unfortunately, the perception that YaBB is easily, and successfully attacked by spam-bots has been so pervasive over the years, even highly educated, and otherwise experienced admins actually believe it's not possible to stop spam-bots.

Please excuse the expression, but I beat a dead horse about this issue for a very long time with the admin of this forum, but for whatever reason he simply refused to give ggn's anti-spam CAPTCHA hack a try.

Who knows what spam-bot automation will come up with next? But for those of us who've been using ggn's anti-spam CAPTCHA hack (available for use since December of 2011), spam-bots haven't been a concern.

As for reactivating Referral Security Checking, if or when it's needed, I'll happily use that feature again. Until then, why bother? As long as spam-bots remain defeated, there's no point in using it.

*************************************

Even over at Dandello's test bed forum (see this topic), there's apprehension about allowing YaBB's perfectly capable anti-spam tools to do its job. Instead, the tendency is to default to possibly unnecessary, and restrictive referral security settings.

It's defeatism born from fear of spam-bots, which means they win right from the start.

« Last Edit: May 23rd, 2013 at 7:47am by Bill Myers »  
xnoddyx
Re: Stupid question regarding referrer security
Reply #5 - May 23rd, 2013 at 10:47am
Bill Myers wrote on May 23rd, 2013 at 7:21am:
Have you ever tried deactivating Referral Security Checking? You'll never know until you try.

Believe it or not, yes, I do from time to time, to do some tracking and check out the malicious attempts on some of my forums. I have been using YaBB for many years as a user, but when YaBB 2.3.1 came out, on its first day, that is when I started using YaBB as a YaBB forum owner, as I had taken ownership of a gaming clan and their game server and website that was running YaBB 2.2. But it was a closed forum and I wanted to open it up to try and increase the players, and within two to three months of the update to YaBB 2.3.1 and it being open, the spam started big time. Making edits to the CAPTCHA to stop the spam also made the CAPTCHA unreadable, but with trial and error in the YaBB settings I found that turning on Proxy Blocking and Referral Security Checking for login2, register2, print stopped almost all of the spam. I also found out that blocking print in Referral Security Checking stopped visitors from Google clicking on a link to a print page from Google; you can see that here with this forum: https://www.google.co.uk/#sclient=psy-ab&q=site:yabbforum.com%2Fcommunity%2FYaBB...

So I don't have print blocked on any of my forums now. But back to the spam: I will call the spam level we were getting 100%, and after Proxy Blocking and Referral Security Checking for login2, register2 the spam level went down to 5 - 10%, and that was a big improvement. Also, at the same time there were no complaints of anyone not being able to login or use the forum at any time. So out of that I will always have Proxy Blocking and Referral Security Checking for login2, register2 on, but it is up to you if you take my advice or not.

Edited:
Also to add: the gaming clan closed down at the end of 2011, as the cost of running the game server was just too much.
« Last Edit: May 23rd, 2013 at 10:53am by xnoddyx »  
Bill Myers
Re: Stupid question regarding referrer security
Reply #6 - May 23rd, 2013 at 3:41pm
xnoddyx wrote on May 23rd, 2013 at 10:47am:
... i will always have Proxy Blocking and Referral Security Checking for login2, register2 on but it is up to you if you take my advice or not.
I'm very glad you mentioned this because it illustrates my point quite nicely.

The fact is, you're one of the best experts I've ever seen when it comes to operating YaBB. I've been seriously impressed when you've helped others with their problems. So for me personally, when you give advice about YaBB, I take it without question because I'm confident your advice will be solid, which simply means it should be followed.

That means, regarding the use of Referral Security Checking, what you mention about it is of course correct ... in a general sense. But think about it. If you block login2 and register2 as you mention you do, and as you mention you always will, then of course that has an effect. Otherwise, why block them?

At the same time, using ggn's anti-spam CAPTCHA hack makes the use of Referral Security Checking unnecessary.

So, instead of always blocking login2 and register2, an expert like you can surely give ggn's anti-spam CAPTCHA hack a try to see if it works for you. After all, you can always switch back to what you were doing.

In the meantime, you can at least see how effective ggn's anti-spam CAPTCHA hack really is when it comes to stopping spam-bots cold.

Other "experts" whom I generally admire, and whose advice I pretty much otherwise always follow, including the admin of this forum, refuse to consider other options to stop spam-bots. It's not uncommon for otherwise brilliant people to get stuck in their own intelligence, which means they'll often only see things their way.

As Dandello wisely reminds us, "If you have only one solution to a problem - you're not trying!"

*************************************

xnoddyx wrote on May 23rd, 2013 at 10:47am:
... I will call the spam level we was getting 100% and after Proxy Blocking and Referral Security Checking for login2, register2 the spam level when down to 5 - 10% and that was a big improvement ...

Our spam-bot level has been at 0% since using ggn's anti-spam CAPTCHA hack, and that's without using Referral Security Checking at all.

« Last Edit: May 23rd, 2013 at 3:49pm by Bill Myers »  
 
xnoddyx
Re: Stupid question regarding referrer security
Reply #7 - May 23rd, 2013 at 5:42pm
Bill Myers wrote on May 23rd, 2013 at 3:41pm:
The fact is, you're one of the best experts I've ever seen when it comes to operating YaBB. I've been seriously impressed when you've helped others with their problems. So for me personally, when you give advice about YaBB, I take it without question because I'm confident your advice will be solid, which simply means it should be followed.

Thank you, but I don't see myself as an expert, as there are times I am still left like Huh.

Bill Myers wrote on May 23rd, 2013 at 3:41pm:
That means, regarding the use of Referral Security Checking, what you mention about it is of course correct ... in a general sense. But think about it. If you block login2 and register2 as you mention you do, and as you mention you always will, then of course that has an effect. Otherwise, why block them?

OK, from this I can see that you don't really understand what Referral Security Checking is doing in YaBB, so I will try to explain it a bit; someone may even explain it better than I can.

OK, when you tell YaBB to do something like go to the User CP, this translates into you telling YaBB to go to YaBB.pl?action=mycenter. Now if you have Referral Security Checking on but you have a check in the checkbox for mycenter in Admin > Referrer Security, then this tells YaBB not to check the Referrer for mycenter.
But if you don't have a check in the checkbox for mycenter, then YaBB will check the referral request. So if you have your forum at abc123.com and the referral is from abc123.com, then YaBB will let it work; but say YaBB gets a referral request from 123abc.com: then YaBB will stop the request, as it doesn't match the forum's domain name of abc123.com, and YaBB will give you the error of
Quote:
This action is not allowed from an outside domain!!
Action is: mycenter
Your Domain: abc123.com
Referer Domain: 123abc.com

So as to
Bill Myers wrote on May 23rd, 2013 at 3:41pm:
then of course that has an effect. Otherwise, why block them?

So yes, this has an effect, and the effect is that I want people that are registering or logging into my forum to be on my forum and not on website xyz, or on a program on their computer like "link-post" < that one is that old I don't even think it works any more, and also xrumer. So that is why I have Referral Security Checking on and why it is also checking login2, register2.

I hope this better explains Referral Security Checking on YaBB for you.
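A small model of the per-action check xnoddyx describes above, added here as an example (it is not YaBB's own code): the action comes from the action= parameter, actions whose box is ticked skip the check, and every other action must carry a Referer whose host equals the forum domain, otherwise the request is refused with the error text quoted in the post. The forum domain abc123.com comes from the post; the set of ticked actions, the sample requests, and treating a missing Referer as an outside domain are my assumptions.

```python
"""Model of YaBB-style per-action referrer checking (added example, not YaBB code)."""
from urllib.parse import parse_qs, urlsplit

# Assumed forum domain, taken from the example in the post above.
FORUM_DOMAIN = "abc123.com"

# Actions whose box is ticked in Admin > Referrer Security, i.e. allowed from
# outside the forum domain. Constructed set of read-only actions; login2,
# register2 and mycenter are deliberately NOT in it.
ALLOWED_FROM_OUTSIDE = {"display", "messageindex", "help", "rss"}


def action_from_url(url):
    """Pull the action= parameter from a YaBB.pl request URL.

    Assumption: a request without action= is the board index, treated as
    'display'. Parameters separated by ';' are accepted as well as '&'.
    """
    query = urlsplit(url).query.replace(";", "&")
    return parse_qs(query).get("action", ["display"])[0].lower()


def referer_domain(referer):
    """Hostname from the Referer header, lowercased; None if absent or unparseable."""
    if not referer:
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def check_action(action, referer, forum_domain=FORUM_DOMAIN,
                 allowed=ALLOWED_FROM_OUTSIDE):
    """Return (True, "") if the action is ticked or the Referer host equals the
    forum domain; otherwise (False, error text) in the wording quoted above.
    Assumption: a missing Referer counts as an outside domain (fail closed)."""
    action = action.lower()
    if action in allowed:
        return True, ""
    domain = referer_domain(referer) or "(none)"
    if domain == forum_domain.lower():
        return True, ""
    message = ("This action is not allowed from an outside domain!!\n"
               f"Action is: {action}\n"
               f"Your Domain: {forum_domain}\n"
               f"Referer Domain: {domain}")
    return False, message


def audit(requests, **kwargs):
    """Run the check over (request URL, Referer) pairs and return the blocked
    ones as (action, referer domain), so an admin can see what a setting stops."""
    blocked = []
    for url, referer in requests:
        action = action_from_url(url)
        ok, _ = check_action(action, referer, **kwargs)
        if not ok:
            blocked.append((action, referer_domain(referer) or "(none)"))
    return blocked


# Constructed sample traffic: (request URL, Referer header).
SAMPLE_REQUESTS = [
    # Same-domain navigation into the User CP: allowed.
    ("http://abc123.com/cgi-bin/YaBB.pl?action=mycenter",
     "http://abc123.com/cgi-bin/YaBB.pl?action=display;num=1"),
    # User CP requested from another site: blocked.
    ("http://abc123.com/cgi-bin/YaBB.pl?action=mycenter", "http://123abc.com/page.html"),
    # Reading a topic from a search engine: allowed because 'display' is ticked.
    ("http://abc123.com/cgi-bin/YaBB.pl?action=display;num=1359402117",
     "https://www.google.co.uk/search?q=yabb"),
    # Registration submit with no Referer at all: blocked (fail closed).
    ("http://abc123.com/cgi-bin/YaBB.pl?action=register2", ""),
    # Login submit whose Referer differs only in case: allowed.
    ("http://abc123.com/cgi-bin/YaBB.pl?action=login2",
     "http://ABC123.com/cgi-bin/YaBB.pl?action=login"),
]

if __name__ == "__main__":
    for action, domain in audit(SAMPLE_REQUESTS):
        print(f"blocked: action={action} referer={domain}")
```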
 
Bill Myers
Re: Stupid question regarding referrer security
Reply #8 - May 24th, 2013 at 1:49am
xnoddyx wrote on May 23rd, 2013 at 5:42pm:
... i hope this better explains Referral Security Checking on yabb for you.
Yes it does.

My preference is to have as much open access into our forum as there can reasonably be, and that means giving permission to outside domains to use our forum as they choose. With the exception of spam-bots, I'm all about choice. This is particularly true for open access through search engines.

Happily, I don't need to concern myself about what should be allowed, and what shouldn't. So deactivating Referral Security Checking makes sense for our forum. What's great about this is that YaBB's anti-spam tools are still able to effectively stop spam-bots cold without any of those restrictions.

Will I ever use Referral Security Checking again? If it's needed, sure. But again, it simply isn't needed any longer.
 
xnoddyx
Re: Stupid question regarding referrer security
Reply #9 - May 25th, 2013 at 3:58pm
Bill Myers wrote on May 24th, 2013 at 1:49am:
My preference is to have as much open access into our forum that there can reasonably be, and that means giving permission to outside domains to use our forum as they choose.

In all regards and respect, YaBB's Referral Security Checking is more like cross site scripting (XSS) prevention for YaBB forms and inputs, and not having Referral Security Checking on for some items will leave you open for malicious ends, not just spammers. This is why I recommend that it is on for some items, just the same way that you don't have open FTP access on your website.
 
Bill Myers
Re: Stupid question regarding referrer security
Reply #10 - May 25th, 2013 at 4:33pm
xnoddyx wrote on May 25th, 2013 at 3:58pm:
... i recommend that it is on for some items just the same way that you don't have a open ftp access on your website.

Your point is well taken.
 
greydane
Re: Stupid question regarding referrer security
Reply #11 - May 25th, 2013 at 5:05pm
xnoddyx wrote on May 25th, 2013 at 3:58pm:
why i recommend that it is on for some items just the same way that you don't have a open ftp access on your website.

Hi Xnoddyx:

Bruce here. Thanks for the explanation, as I wasn't quite sure what the referrer security did. So my question is: if referrer security is activated (i.e. checked under Security Settings), what Board Actions should be checked off under the Referrer Security menu to prevent access from outside your domain name? As Batchman stated, the description of Referrer Security in Admin is confusing. It reads as if you must select (i.e. check off) the Board Action to ALLOW outside access. From the explanations I gather that the proper procedure is to select (check off) the Board Actions to prevent outside access. Is that correct, and if so, what Actions should I check off?

Hope this doesn't sound too confusing. Thanks, Bruce
« Last Edit: May 25th, 2013 at 5:06pm by greydane »  
xnoddyx
Re: Stupid question regarding referrer security
Reply #12 - May 25th, 2013 at 5:20pm
Bill Myers wrote on May 25th, 2013 at 4:33pm:
xnoddyx wrote on May 25th, 2013 at 3:58pm:
... i recommend that it is on for some items just the same way that you don't have a open ftp access on your website.

Your point is well taken.  Smiley


Thank you. It is just that, as I am a YaBB Support Team Member, I also feel that it is my responsibility to prevent malicious harm to YaBB and all that run and use YaBB, from the admins to its Members, and I am sorry if it sounded like I was being arrogant or dictating. But I think it is better to make a decision on full information than on little or some information, so at the end of the day, if I can help with improving informed decision making then I am doing my job right, and this is all I try and do.
Bill Myers
Re: Stupid question regarding referrer security
Reply #13 - May 25th, 2013 at 7:26pm
Regarding Referrer Security, if a check is in the box, then it's allowed.

But thankfully, as I mentioned, I no longer need to activate Referral Security Checking.
greydane
Re: Stupid question regarding referrer security
Reply #14 - May 25th, 2013 at 7:35pm
Bill Myers wrote on May 25th, 2013 at 7:26pm:
if a check is in the box, then it's allowed.

Allowed to do what? If the boxes under Board Actions are checked, does that ALLOW OUTSIDE ACCESS to your domain name or DENY OUTSIDE ACCESS to your domain name? That was Batchman's original question, not whether to use it or not. A straightforward answer to his question seems to have gotten lost in this thread.

Thanks, Bruce
« Last Edit: May 25th, 2013 at 7:46pm by greydane »  